OpenAFS CVS Commit: openafs/src/WINNT/afsd by jaltman

cvs@GRAND.CENTRAL.ORG
Sun, 11 Jul 2004 17:23:07 EDT


Update of /cvs/openafs/src/WINNT/afsd
In directory GRAND.CENTRAL.ORG:/home/jaltman/openafs/cvs-tree/src/WINNT/afsd

Modified Files:
	afsd_init.c afskfw.c cm.h smb.c smb.h smb3.c smb3.h 
Log Message:
DELTA smb-auth-20040711
AUTHOR jaltman@mit.edu

Over the last several years significant efforts have been made to work around
the inability to protect user tokens from use by inappropriate entities.
The tokens are associated with a given userid and session by a combination
of an SMB based ioctl and an authenticated/encrypted RPC.  This has opened
the door for tokens to be borrowed by other users if they could connect
to the same SMB server with the identical userid.  This was trivially 
possible because the SMB connections were unauthenticated.  

This patch adds two forms of authenticated SMB connections: NTLM and 
Extended Security (aka GSS SPNEGO).  By default Extended Security mode
is used.  This patch has been tested on 2000 workstation, 2000 server,
XP SP1, 2003 Server, and XP SP2 RC2.  Extended Security works on
all platforms except for XP SP2 RC2, regardless of whether the machine
is part of a domain and whether a local or domain account is used.

On XP SP2 RC2, attempts to negotiate Extended Security result in a
Logon Denied error from AcceptSecurityContext() and a substatus code of
0x7C90486A is logged to the Security Event log via the NTLM SSP.
The SMB AUTH NTLM mode succeeds on XP SP2 RC2.  

Disabling SMB Authentication or specifying the use of NTLM mode may be done
via the registry.

Value   : smbAuthType
Type    : DWORD {0..2}
Default : 2

  If this value is specified, it defines the type of SMB authentication
  which must be present in order for the Windows SMB client to connect
  to the AFS Client Service's SMB server.  The values are:
    0 = No authentication required
    1 = NTLM authentication required
    2 = Extended (GSS SPNEGO) authentication required
  The default is Extended authentication
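
As an added illustration (not part of this commit or of the OpenAFS
tree), the following PowerShell script audits the smbAuthType value
described above and resets it to Extended Security if it has been set
to 0, since mode 0 reopens the token-borrowing problem the patch
closes.  The registry key path, the assumption that the value is read
at service start, and the function names are mine, not the project's;
adjust $KeyPath to wherever your AFS Client Service stores its
parameters.

```powershell
# Added example: audit/harden the smbAuthType registry value.
# ASSUMPTION: the AFS Client Service reads its parameters from this key;
# change $KeyPath if your installation keeps them elsewhere.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters'
$ValueName = 'smbAuthType'

# Meaning of each value, as documented in the commit message.
$Modes = @{
    0 = 'No authentication required (any user who can reach the SMB server with the same userid can borrow tokens)'
    1 = 'NTLM authentication required'
    2 = 'Extended Security (GSS SPNEGO) authentication required (built-in default)'
}

function Get-SmbAuthType {
    # Effective mode: the explicit DWORD if present, otherwise the default of 2.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 2 }
    return [int]$item.$ValueName
}

function Set-SmbAuthType {
    # Write the DWORD, creating the key if the service has never been configured.
    param([ValidateSet(0, 1, 2)][int]$Mode)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Mode -Force | Out-Null
}

$current = Get-SmbAuthType
Write-Host ("{0} = {1}: {2}" -f $ValueName, $current, $Modes[$current])

switch ($current) {
    0 {
        # Weak setting: unauthenticated SMB sessions.  Restore the default.
        Write-Warning 'SMB authentication is disabled; setting smbAuthType back to 2.'
        Set-SmbAuthType -Mode 2
    }
    1 {
        # Acceptable only where Extended Security fails (the XP SP2 RC2 case above).
        Write-Host 'NTLM mode in force; prefer 2 unless Extended Security negotiation fails on this host.'
    }
    2 { Write-Host 'Extended Security in force.' }
}

# ASSUMPTION: the value is read when the service initializes, so a change
# only takes effect after the AFS Client Service is restarted.
Write-Host 'Restart the AFS Client Service after changing smbAuthType.'
```

Run it from an elevated PowerShell session; Get-SmbAuthType alone is safe to run unprivileged if you only want to read the current setting.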
--- DELTA config follows ---
smb-auth-20040711 openafs/src/WINNT/afsd/afsd_init.c 1.32 1.33
smb-auth-20040711 openafs/src/WINNT/afsd/afskfw.c 1.7 1.8
smb-auth-20040711 openafs/src/WINNT/afsd/cm.h 1.7 1.8
smb-auth-20040711 openafs/src/WINNT/afsd/smb.c 1.42 1.43
smb-auth-20040711 openafs/src/WINNT/afsd/smb.h 1.10 1.11
smb-auth-20040711 openafs/src/WINNT/afsd/smb3.c 1.32 1.33
smb-auth-20040711 openafs/src/WINNT/afsd/smb3.h 1.5 1.6